Federal policy	Overview / Who is affected	Secure products that help meet these requirements
CIPA (Children's Internet Protection Act) Key information security principles involved: Web content filtering Content control Data leakage	CIPA requires schools and libraries with "computer Internet access" to certify that they have Internet safety policies and technology protection measures in place, e.g., software filtering technology, to receive discounts for Internet access and internal connections under the schools and libraries universal service support mechanism (e-rate). Specifically, the safety policy must address the following issues: Access by minors to inappropriate content Preserving the safety of minors when using email, chat rooms, and other direct electronic communications Preventing minors from unauthorized access, "hacking" and other unlawful activities Unauthorized disclosure, use, and dissemination of personal information regarding minors Access by minors to harmful material Who does CIPA Impact? All public schools and public libraries having an Internet connection that allows public use, and that receive most types of federal funding. When are schools and libraries required to be in compliance with CIPA? Schools have been required to be compliant since July 1, 2003. Libraries must come into compliance by July 1, 2004. What are schools and libraries required to filter? "Internet access to visual depictions that are--(A) obscene, as that term is defined in section 1460 of title 18, United States Code; (B) child pornography, as that term is defined in section 2256 of title 18, United States Code; or(C) harmful to minors." How is CIPA implemented? The FCC is charged with implementing filtering. In July, 2003, the FCC issued a ruling for the implementation of CIPA, which is available at hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-03-188A1.pdf Is SmartFilter, Bess edition "CIPA Compliant"? The FCC declined to set standards for "CIPA Compliance." In theory, any product that blocks or filters obscenity, child pornography, and material harmful to minors is CIPA compliant. But none of Secure Computing's products have "obscene" and "child porn" categories? CIPA and the FCC have left it up to schools and libraries on their own to "map" CIPA requirements to the categories of filtering vendors. Libraries commonly map sex and pornography categories. Does CIPA require that the filters be disabled on request? Not exactly. The Supreme Court cited the provision that allows libraries to disable filters for adults (not minors) as a reason for upholding the constitutionality of CIPA, but did not specifically state that libraries must disable filtering to avoid constitutional problems. However, most city attorneys are advising libraries to have disabling policies for adults.	Secure Web SmartFilter EDU (the leading education filtering solution) Secure Web SmartReporter Secure Web (Webwasher)

Program	Overview / Who is affected	Secure products that help meet these requirements
CISP (Visa Cardholder Information Security Program) And PCI-DSS (Payment Card Industry Data Security Standard) Key Information Security Principles Involved: Firewall Anti-virus Strong      authentication Data leakage Outbound security	Stolen credit card holder account data is a serious problem. Consumers want to be assured that when they use their bank card, that their account information is safe. Merchants and financial institutions alike continue to suffer losses due to fraud, as well as additional operating expenses that occur as a result of this fraud. The integrity of the payment systems, and consumers that use credit cards, can be protected through a series of best practices and information technology. What is CISP? CISP is a program created by VISA USA, designed to protect card holder data, regardless of where it resides, and ensure that members, merchants, and service providers maintain a high standard of information security. It helps to prevent identity theft, and the losses that can result from it. The PCI-DSS is an open standard supported across the entire credit card industry, and is based on the same set of standards. Behind the scenes: CISP and secure software Visa's Payment Application Best Practices (PABP) address the security risks that occur when magnetic stripe data or CVV2 values are stored after authentication by a payment application. This set of best practices helps software vendors create payment applications that ensure merchant CISP compliance. The requirements for PABP are derived from the Payment Card Industry Data Security Standard (PCI-DSS). How is CISP implemented? Procedural best practices include restricting physical access to card holder data, storing only the data that is necessary, not using vendor default configurations, and purging obsolete transaction data. CISP is also implemented on a technological basis with security software such as firewalls, anti-virus software, and strong authentication. How CISP compliance works All merchants and service providers that store, process, or transmit Visa cardholder data must comply. All payment channels, whether cards are processed in a physical store, online, or over the phone, come under the CISP program. Providers must adhere to the Payment Card Industry Data Security Standard, which provides a single method for safeguarding sensitive data for all card brands. Compliance is not difficult, and can easily be achieved through adherence to best practices, and use of an integrated security infrastructure. CISP uses the PCI Data Security Standard (PCI DSS) as its framework. The PCI standard has 12 basic requirements, which include: Install and maintain a firewall configuration Do not use vendor-supplied defaults Protect stored data Encrypt transmission o cardholder data and other sensitive information Use and update anti-virus software Develop and maintain secure systems Restrict access to data on a need-to-know basis Assign a unique ID to each person with access to the computer system Restrict physical access to cardholder data Track and monitor access to network resources and card holder data Test security systems and processes on a regular basis Maintain an information security policy In 2008, a new standard will be released based on VISA's PABP, to be known as the Payment Application Data Security Standard (PA-DSS). Benefits of compliance Members, merchants, and service providers that comply with CISP are able to meet their obligations to the Visa payment system, and also create an environment of trust and confidence. Compliance provides merchants with a competitive edge and allows them to retain a positive image, keep risks to a minimum, and safeguard information. In the process of complying, customers are protected, and vexing problems such as identity theft are kept at bay.	Enterprise Role-Based Access Control (RBAC) solutions Identity management with strong authentication for all users Digital certificate enforcement Detailed auditing of actions on data Content protection, including anti-virus, anti-spyware, and anti-spam Outbound security to prevent data leakage of consumer information Secure Computing products that help meet these requirements: Identity and access management, access control, configuration compliance, strong authentication, and role-based authorization SecureWire and Secure SafeWord Protecting data, networks, and applications Secure Firewall (Sidewinder) Secure Firewall Reporter Secure SnapGear Protecting the network against viruses and other malware Secure Web (Webwasher), Secure Web SmartFilter, Secure Web SmartReporter Also see our recent article on CISP

Program	Overview / Who is affected	Secure products that help meet these requirements
PA-DSS (Payment Application Data Security Standard) Key Information Security Principles Involved: Strong authentication Data leakage Outbound security	Security breaches and fraud in credit card transactions remains a problem, and part of the solution is ensuring that payment application providers and the software products they use are subject to consistent data security standards. Many security breaches target data from a card's magnetic stripe, card validation codes and values, PINs and PIN blocks. PA-DSS sets new standards for storing and securing this data. What is PA-DSS? The PCI Security Standards Council has added a new standard for payment application software, known as the Payment Application Data Security Standard (PA-DSS). PA DSS is an open standard, but is based on Visa's Payment Application Best Practices (PABP). The final version of PA DSS will be published in the first quarter of 2008. PA-DSS is endorsed by all five payment card brands, and sets a common foundation for adoption of secure payment applications. PA-DSS applies to software vendors and anyone else who develops payment applications that store, process, or transmit cardholder data. Internally developed applications are not subject to PA DSS, but are subject to PCI DSS (see the CISP requirements above). Behind the scenes: PA-DSS and secure software Visa's Payment Application Best Practices (PABP) address the security risks that occur when magnetic stripe data or CVV2 values are stored after authentication by a payment application. This set of best practices helps software vendors create payment applications that ensure merchant CISP compliance. How is PA-DSS implemented? Procedural best practices include restricting physical access to card holder data, storing only the data that is necessary, not using vendor default configurations, and purging obsolete transaction data. CISP is also implemented on a technological basis with security software such as firewalls, anti-virus software, and strong authentication How PA-DSS compliance works All merchants and service providers that store, process, or transmit Visa cardholder data must comply. All payment channels, whether cards are processed in a physical store, online, or over the phone, come under the CISP program. Providers must adhere to the Payment Card Industry Data Security Standard, which provides a single method for safeguarding sensitive data for all card brands. Compliance is not difficult, and can easily be achieved through adherence to best practices, and use of an integrated security infrastructure. PA-DSS is an open standard derived from Visa's Payment Application Best Practices (PABP), which include: Do not retain full magnetic stripe, code validation card, or value (CAV2, CID, CVC2, CVV2), or PIN block data. Protect stored cardholder data. Provide secure password features. Log application activity. Develop secure applications. Protect wireless transmissions. Test applications to address vulnerabilities. Facilitate secure network implementation. Cardholder data must never be stored on a server connected to the Internet. Facilitate secure remote software updates. Facilitate secure remote access to application. Encrypt sensitive traffic over public networks. Encrypt all non-console administrative access. Maintain instructional documentation and training programs for customers, resellers, and integrators. What's the difference between PA-DSS and PCI-DSS? PA-DSS is actually derived from the PCI-DSS. PA-DSS sets out a set of application guidelines that sets out what a payment application must support to allow that application's users to become PCI-DSS compliant. Vendors of payment applications are the primary target of PA-DSS. These vendors may not need to be PCI-DSS compliant, since they do not store, process, or transmit cardholder data themselves. However, because the applications will be used by merchants who do store, process or transmit data, the applications must be designed to facilitate PCI-DSS compliance. For more information on PCI-DSS, please visit our PCI-DSS solution site. Benefits of compliance Some older payment systems still store data such as magnetic stripe data, CVV2 and PIN data, and this leaves databases vulnerable. When developers comply with PA-DSS, new applications will eliminate this vulnerability, and minimize the possibility of fraud. Merchants and service providers that store, process or transmit cardholder data will be able to rely on their standardized secure payment applications, to ensure that they are maintaining a secure environment.	Enterprise Role-Based Access Control (RBAC) solutions Identity management with strong authentication for all users Digital certificate enforcement Detailed auditing of actions on data Outbound security to prevent data leakage of consumer information Secure Computing products that help meet these requirements: Identity and access management, access control, configuration compliance, strong authentication, and role-based authorization SecureWire and Secure SafeWord Protecting data, networks, and applications Secure Firewall (Sidewinder) Secure Firewall Reporter Secure SnapGear Also see our recent article on CISP

Federal policy	Overview / Who is affected	Secure products that help meet these requirements
Federal Circular A-123 Key Information Security Principles Involved: Confidentiality Continuity of secure      network operations Secure information      access Enterprise &      application-level      policy enforcement Detailed auditing      capability	The OMB (Office of Management and Budget) Circular A-123, originally issued in 1995 and revised in December 2004, was created to provide guidance to managers of federal agencies on establishing accountability and internal controls. The 2004 revision updates internal control standards, and puts forth new requirements for conducting assessments on the effectiveness of internal controls over financial reporting. Circular A-123 is very similar to Sarbanes-Oxley, but instead of being directed at publicly-held corporations, it is meant for agencies of the federal government. Sarbanes-Oxley does not directly mandate computer security in relation to financial data, but it does require companies to maintain high standards in establishing, maintaining, and reporting on internal controls. Those internal controls, by inference, mean tight computer security in the area of financials. Circular A-123, while it does not require an auditor's opinion like Sarbanes-Oxley does, imposes the same type of guidance on federal agencies. OMB can however, at its discretion, require an internal control opinion if it determines that any given agency's controls are not up to standard. The revised Circular A-123 has the same intent as Sarbanes-Oxley—that is, to strengthen the credibility of the annual agency management assessments of financial status, which the government is required to create under the Federal Managers' Financial Integrity Act. The new internal controls specified by the Federal government is meant to be all-encompassing, and a central part of the cycle of planning, budgeting, management, accounting, and auditing. Circular A-123 sets out a framework of accountability and management controls over federal programs. The revised version outlines stricter financial control standards, enacting a year-end report that will ensure the integrity of virtually everything in government agencies' financial statements. As the revision states, the rule is designed to ensure that "Federal resources are used efficiently and effectively to achieve desired objectives." It is a simple and necessary goal that requires some technological oversight, and (as is the case with Sarbanes-Oxley), that proper security measures be implemented to ensure the integrity of agency data and reporting.	Enterprise Role-Based Access Control (RBAC) solutions Identity management with strong authentication for all users Digital certificate enforcement Detailed auditing of actions on data Secure Computing products that help meet these requirements: Identity and access management, access control, configuration compliance, strong authentication, and role-based authorization SecureWire and Secure SafeWord Securing data, networks, and applications Secure Firewall (Sidewinder) Secure Firewall Reporter Secure SnapGear Also see our recent article on Federal Circular A-123